Embedded cluster role to make podCreate working out of the box #38

Open
aballiet opened this issue May 7, 2024 · 0 comments
aballiet commented May 7, 2024

Feature description

Currently one needs to set up a cluster role for Kestra in order to make it able to create Pods and stream execution logs.

We do it like this:

```hcl
# Pod lifecycle: list/watch namespaces and pods, create and delete pods.
resource "kubernetes_cluster_role" "pod_creator" {
  metadata {
    name = "pod-creator"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["get", "list", "watch", "create", "delete"]
  }
}

# Log streaming: read access to the pods/log subresource.
resource "kubernetes_cluster_role" "pod_log_reader" {
  metadata {
    name = "pod-log-reader"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/log"]
    verbs      = ["get", "list"]
  }
}

# Exec into pods: "get" covers the websocket upgrade, "create" is the RBAC
# verb for an HTTP POST ("post" is not an RBAC verb and would grant nothing).
resource "kubernetes_cluster_role" "pod_executor" {
  metadata {
    name = "pod-executor"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/exec"]
    verbs      = ["get", "create"]
  }
}

# Bindings: each role is bound to the default service account of the "kestra"
# namespace, addressed by its username system:serviceaccount:<ns>:<name>.
resource "kubernetes_cluster_role_binding" "kestra_pod_creator" {
  metadata {
    name = "kestra-pod-creator"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-creator"
  }
  subject {
    kind      = "User"
    name      = "system:serviceaccount:kestra:default"
    namespace = "kestra"
  }
}

resource "kubernetes_cluster_role_binding" "kestra_pod_log_reader" {
  metadata {
    name = "kestra-pod-log-reader"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-log-reader"
  }
  subject {
    kind      = "User"
    name      = "system:serviceaccount:kestra:default"
    namespace = "kestra"
  }
}

resource "kubernetes_cluster_role_binding" "kestra_pod_executor" {
  metadata {
    name = "kestra-pod-executor"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-executor"
  }
  subject {
    kind      = "User"
    name      = "system:serviceaccount:kestra:default"
    namespace = "kestra"
  }
}
```

Whereas it could be embedded directly in the Kestra Helm chart using templating, like Airbyte does here:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-role
rules:
  - apiGroups: ["*"]
    resources: ["jobs", "pods", "pods/log", "pods/exec", "pods/attach"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # over-permission for now
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-binding
roleRef:
  apiGroup: ""  # empty is defaulted to rbac.authorization.k8s.io by the API server
  kind: Role
  name: {{ include "airbyte.serviceAccountName" . }}-role
subjects:
  - kind: ServiceAccount
    name: {{ include "airbyte.serviceAccountName" . }}
{{- end }}  # closes a conditional whose opening is not part of this excerpt
```
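An added example, not code from Kestra's or Airbyte's charts: it renders a namespace-scoped Role and RoleBinding in the Helm-template shape proposed above, bound to a dedicated service account placeholder instead of the `default` account, and audits a rule set against the permissions the issue lists (pod lifecycle, log reading, exec), reporting verbs that are missing, grants beyond that set, and any rule using a `*` wildcard. The template helper name `kestra.serviceAccountName`, the required-permission set and the sample rule sets are assumptions constructed for the example.

```python
"""Render least-privilege RBAC for a pod-launching engine and audit rule sets.

Assumed names (not from any project): kestra.serviceAccountName, REQUIRED,
and the sample rule lists below.
"""
import json

# Minimal permission set derived from the three roles in the issue. The exec
# subresource needs "get" (websocket upgrade) and "create" (RBAC verb for POST).
REQUIRED = frozenset({
    ("", "pods", "get"), ("", "pods", "list"), ("", "pods", "watch"),
    ("", "pods", "create"), ("", "pods", "delete"),
    ("", "pods/log", "get"),
    ("", "pods/exec", "get"), ("", "pods/exec", "create"),
})

# Rules that grant exactly REQUIRED, one rule per resource.
LEAST_PRIVILEGE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "create"]},
]

# The wildcard rule shape quoted from the Airbyte chart (its own comment says
# "over-permission for now").
AIRBYTE_STYLE_RULES = [
    {"apiGroups": ["*"],
     "resources": ["jobs", "pods", "pods/log", "pods/exec", "pods/attach"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Constructed variant: also grants namespaces, and spells the exec verb as the
# HTTP method "post", which RBAC does not recognise.
HTTP_VERB_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "post"]},
]

FIELDS = ("apiGroups", "resources", "verbs")


def rule_allows(rule, perm):
    """True if one PolicyRule grants the (group, resource, verb) triple, honouring '*'."""
    return all("*" in rule[f] or want in rule[f] for f, want in zip(FIELDS, perm))


def explicit_grants(rules):
    """Expand rules into the literal (group, resource, verb) triples they list."""
    return {(g, r, v) for rule in rules
            for g in rule["apiGroups"] for r in rule["resources"] for v in rule["verbs"]}


def audit(rules, required=REQUIRED):
    """Return (missing, excess, wildcard_rules) for a rule list against the required set."""
    missing = {p for p in required if not any(rule_allows(r, p) for r in rules)}
    excess = explicit_grants(rules) - set(required)
    wildcards = [r for r in rules if any("*" in r[f] for f in FIELDS)]
    return missing, excess, wildcards


def render_rbac(subject_name, rules, cluster_scoped=False):
    """Render Helm-template YAML: a (Cluster)Role plus binding to a ServiceAccount.

    subject_name may itself be a Helm expression such as
    {{ include "kestra.serviceAccountName" . }} (assumed helper name).
    """
    kind, binding_kind = (("ClusterRole", "ClusterRoleBinding") if cluster_scoped
                          else ("Role", "RoleBinding"))
    lines = ["---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: " + kind,
             "metadata:", "  name: " + subject_name + "-role", "rules:"]
    for r in rules:  # JSON arrays are valid YAML flow sequences
        lines += ["  - apiGroups: " + json.dumps(r["apiGroups"]),
                  "    resources: " + json.dumps(r["resources"]),
                  "    verbs: " + json.dumps(r["verbs"])]
    lines += ["---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: " + binding_kind,
              "metadata:", "  name: " + subject_name + "-binding",
              "roleRef:", "  apiGroup: rbac.authorization.k8s.io",
              "  kind: " + kind, "  name: " + subject_name + "-role",
              "subjects:", "  - kind: ServiceAccount", "    name: " + subject_name,
              "    namespace: {{ .Release.Namespace }}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, rules in (("least-privilege", LEAST_PRIVILEGE_RULES),
                         ("airbyte-style", AIRBYTE_STYLE_RULES),
                         ("http-verb", HTTP_VERB_RULES)):
        missing, excess, wild = audit(rules)
        print(f"{label}: missing={sorted(missing)} excess={len(excess)} wildcards={len(wild)}")
    print(render_rbac('{{ include "kestra.serviceAccountName" . }}', LEAST_PRIVILEGE_RULES))
```

Running the script shows the three outcomes a chart author should distinguish: the least-privilege rules grant exactly the required set, the wildcard rule grants everything required but also 35 extra triples and trips the wildcard check, and the `post` spelling leaves `pods/exec create` ungranted while silently adding namespace verbs. Keeping the role namespace-scoped and the binding on a dedicated service account keeps a compromised workflow from reaching pods or namespaces outside the engine's own namespace.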
@aballiet aballiet added the enhancement New feature or request label May 7, 2024
@anna-geller anna-geller added this to the v0.18.0 milestone May 7, 2024
@loicmathieu loicmathieu self-assigned this May 10, 2024
@github-project-automation github-project-automation bot moved this to Backlog in Issues Jun 10, 2024
@anna-geller anna-geller removed this from the v0.18.0 milestone Aug 15, 2024